Data Protection Learnings from Across the Pond

From GDPR to LGPD

Okan Kibaroglu, Head of Governance, 26/08/2019

Agenda

• Your presenter
• This is Imperial!
• Principles to keep in mind
• Our experience, a detailed synopsis; based on “principles”
• Lessons Learnt

About me – Okan Kibaroglu

• Born in Turkey in 1966
• BSc and MSc in Computer Science from Bogazici University, Istanbul
• Worked at different industries and management levels in IT since 1994
• At Imperial College for 14 years, and Head of Governance for 5 years
• Married with three grown-up children

This is Imperial!

Imperial College: Our Mission

Imperial College London’s mission is to achieve enduring excellence in research and education in science, engineering, medicine and business for the benefit of society.

Our standing

• Times Higher Education World University Rankings 2019: 9th overall, 3rd in UK
• Times Higher Education World’s Most International Universities 2019: 9th in the world
• QS World University Rankings 2019: 8th in the world
• Research Excellence Framework (REF): 1st for high impact research of any UK university
• Reuters Europe’s Most Innovative Universities 2019: 1st in UK, 3rd in Europe
• The Guardian University Guide 2019: 1st for Career Prospects

History

• 1851–1890: Building on the Great Exhibition, Prince Albert supported the idea of South Kensington becoming the London Centre for Science and Arts. Constituent Colleges formed.
• 1907: Imperial College founded by merger of:
  – City and Guilds College
• 1987: Management School formed (now Imperial College Business School)

Imperial Today

Nine campuses:
• South Kensington
• White City
• Silwood Park
• 6x Hospitals
  – Charing Cross
  – Chelsea & Westminster
  – Hammersmith
  – North West London Hospitals
  – Royal Brompton
  – St Mary’s

White City – a new era of discovery for Imperial, London and the wider world.

White City is home to the College’s major new campus, co-locating world-class researchers, businesses and higher education partners to create value from ideas.

White City

[Campus map: Michael Uren Biomedical Engineering Research Hub; Translation & Innovation Hub; Invention Rooms; Molecular Science Research Hub; Public Health Research]

Our People

Students: 17,054 full-time (2017–18)
• 9,767 – undergraduate
• 3,812 – taught postgraduate
• 3,475 – research postgraduate
• Students from 132 countries

Staff
• 3,765 academic and research staff
• 3,940 support staff

Alumni
• Over 190,000 alumni

Our financial strengths (2017-18 Annual Report and Accounts)

• £1,033m – Total income
• £196m – Tuition fees and education contracts income
• £364m – Research grants and contracts income
• £187m – College capital expenditure

Global Imperial

• Imperial is one of the world's most international universities (9th in the world) according to Times Higher Education.
• Around 60% of students and 40% of staff come from outside the UK.
• We defend our international values. Following the EU referendum, we have provided extra support to our staff and students and increased our lobbying efforts.
• Find out more: www.imperial.ac.uk/global

Imperial College London and Brazil

• 1,300 papers in 5 years with Brazilian co-authors
• MoU with FAPESP for collaborative research in 2013 + 3 MoUs with universities
• Collaborative research and joint PhD in Aeronautics and other areas
• Strong industry partnerships: Energy Futures Lab -> Sustainable Gas Institute in 2014
• Recently: 3 Newton-funded research projects + one GCRF project with Brazil

Principles

• General Awareness
• Think, eat and sleep with Data Protection: embed it into your practices
• Don’t forget ‘consent’ and ‘minors / vulnerable individuals’
• Show you are working towards LGPD
• Data Privacy Impact Assessments (DPIA)
• Data Breach (Violation) Reporting
• Know your information and processes (IAR)

Show you’re working

How did we show we are working?

• Identified the top-level accountable role – College Secretary
  – Also appointed as the SIRO (DP accountability at the highest level)
• Preparations handled as a College-wide Project
• Appointed an acting DPO during the project
• Set up the Information Governance Steering Group
• On G-day (25 May 2018) project wrapped up
  – permanent DPO appointed
  – day-to-day work commenced

Information Governance Structure


Awareness Courses

• General Awareness is most important
  – Data Protection Awareness
  – Information Security Awareness
• If the ICO (ANPD) ever comes to audit or to follow up an incident, they will ask:
  – “How do you train your staff? Show us your records of training.”
• These courses are now mandatory for new starters
• If they are handling personal data (Researchers): more specific and detailed training, Handling Sensitive Data
• Consider a general awareness campaign

Policies and training – evidential weight

• We keep records of:
  – Online awareness training for Data Protection and Information Security
  – Also require an annual declaration of compliance with the information governance policy framework
• Don’t forget the people supporting you: IAOs, IAAs and DP co-ordinators
  – We provide classroom training and also keep records of those

Policies and Procedures

[Diagram: Information Security and Data Protection]

Information Governance Policy Framework

• Information Governance Policy Framework – overarching document
  – Information Security Policy
  – Data Protection Policy
• Policy training and acceptance is essential
  – We have online awareness training for both
  – But not proving very effective
  – There are inevitable overlaps
  – Should we consider bringing them together?

Policy Detail -> Codes of Practice

• Information Security Policy
  – Electronic Messaging
  – Inspection of Electronic Communications and Data
  – Passwords
• Data Protection Policy
  – Handling Personal Data
  – Handling Patient Data
  – Access to Personal Data by Data Subjects
  – CCTV
  – Information Asset Register
  – DPIA

Data Privacy Impact Assessment (DPIA) – Privacy by Design

Privacy by Design

• Questions should be asked when designing a new process / product
  – Embed into your project process
  – Apply to existing information assets
• Especially when:
  – Using new technologies to process data: near-field, RFID, etc.
  – Biometric / genetic data
  – Processing large amounts of data (big data); matching / combining data
  – Profiling children or targeting them with online marketing
  – Risk to individuals’ physical health and safety

Our DPIA Process

• Qualifying Questions
  – Personal data?
  – Predict behaviour?
  – Large scale?
  – Vulnerable individuals?
• Identify
  – Describe data processing
  – Legal basis?
  – Data flow
  – Risks?
• Measures
  – Actions to reduce risks
• Evaluate
  – Sign-off by IAO, DPO and IT Governance

IAR

Information Assets

• A body of information, defined and managed as a single unit so it can be understood, shared, protected and used effectively

• Information Asset Register: a list / database of Information Assets showing:
  – Description, owner, accessibility
  – Whether it is personal / sensitive or not
  – How it is kept secure
  – Retention

Information Asset Owners

• One clear owner for every asset
• Managing the asset in line with policies and standards (Protect it)
• Responsible for identifying, understanding and managing risks (Protect proactively)
  – Who accesses the asset?
  – What functions do they access? (Roles)
  – What is the approval process for accessing?
  – How do we remove access?

What information is kept in the IAR?

• Information Asset Owner
• Information Asset Administrator
• Business criticality
• Who has access?
• How is it stored? (Media type)
• Where is it stored?
• How is it secured?
• How often is it backed up?
• Is it taken off site?
• Earliest date of recorded data
• Retention period
• Does it contain personal data?
• DPIA
• Categories of data
• Purposes for processing
• Legal justification for processing
• Disposal arrangements
• Data subjects aware?
• Staff trained in DP?
• Policy awareness
• Incident reporting awareness?

What about other data held outside IT Systems?

• You still need them in the IAR!
• Carried out a big survey exercise to collect this data
  – Personal Data Assessment Questionnaire (PDAQ)
• Sent to all departments by the DPO during the project phase
  – Many responses, from paper records to stand-alone electronic systems
• Recorded them in the IAR, but reviewing them takes time
• Takes a lot of resource and time to get right; start now!
  – Still not complete and accurate!

Our information asset register

• Web-based system called Flowz (www.flowz.co.uk)
• Importing all records of assets from ICT systems and GDPR analysis
• Including purposes of processing
• Ability to map flows from systems (to ensure control of data)
• Risk-based reporting
• Ability to upload documents
  – DPIA functionality on roadmap
• Integrated with SSO…

Data Breach

Reporting Data Breaches

• A breach in security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
  – Accidentally sending data to wrong recipients
  – Phone / tablet / laptop lost or stolen
  – Device becoming vulnerable via virus or malware
  – Someone has access to data they should not have
  – Organisational data accidentally being leaked by a supplier
• Every Data Breach form is received and processed by the DPO
• Include in training and provide clear information on when and how to report

Consent and Minors

• Sometimes you may not have any other legal justification to process personal data; then obtaining “consent” will be necessary
  – Freely given, clear, specific, informed and affirmative
  – Distinguishable from other matters
  – Capable of being evidenced
  – Capable of being withdrawn
• Start thinking about verifying individuals’ ages
• Ensure you have processes in place to get parental or guardian consent

Lessons Learnt

Impact of GDPR on Higher Education

• Open season of Subject Access Requests did not materialise
• Greater precision with consent at admissions stage
• Revisiting consent for alumni and fundraising
• Research – enabling regulation

Local issues

• A managed centre, but difficult to manage faculties
  – Academic freedom and information governance don’t go hand in hand
• Awareness training did not reach the majority of staff and students
  – Looking into dynamic policy delivery
• Shadow IT – also Shadow IG
• Retention – forever is not (always) an option
• Responsible for data we have no visibility over
• Intra- and inter-organisational movement of data

How are we dealing with them?

• Data Protection Co-ordinators marshalling areas of the College
• Communications campaigns
  – An occasional data ‘amnesty’
• Embracing Shadow IG
• Considering automated discovery tools
• DP and IS training compulsory for new starters
  – Looking into using dynamic policy delivery to improve compliance

My two-penny-worth for you

• More than one year has passed since 25 May 2018
• It was just another day!
• Not under too much pressure or scrutiny
• After all, we are the good guys
• However, it only lasts until your first significant data breach
• So, be ready! But, how?
• Tighten security and increase awareness!

The End

My thanks for their help and support to

• Edilson Lima, Nicole Rieckmann and Yuri Alexandro
• Tim Rodgers, Compliance and Information Governance Manager at Imperial
• Amer Mahmood, Head of Information Insights at Imperial

Thank you for your attention!